Security

Force Splunk to use TLS 1.2

cam343
Path Finder

Hello,

All of our Splunk infrastructure utilises our in house PKI for Splunk to Splunk communication. Moving forward can we force the use of TLS v1.2?
I know about supportSSLV3Only = true/false

SSLV3 is getting old and obsolete [1]. Please don't comment regarding SSLv3 is fine the question is in regards to TLS v1.2 and future proofing.

Perhaps it's on the road map for future versions of Splunk?

[1] https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf - Section 2.2

Tags (2)
0 Karma

brynsmith
Explorer

I changed these settings ages ago, but my Security department wouldn't believe that it was disabled without proof.
I ran an openssl command from a forwarder to test:
openssl s_client -connect splunk-index-dev-01.example.com:9997 -tls1_2
and it worked as expected, giving me standard connection info.
Then I ran the same command for ssl3, and it gave me the same connection info:
openssl s_client -connect splunk-index-dev-01.example.com:9997 -ssl3
Doing the same command with ssl2 on the end showed that it was not enabled for ssl2.

I doublechecked my settings, and I had sslVersions = tls1.2 set in server.conf on the indexer and outputs.conf on the forwarder, and there was no change.
After a great deal of back-and-forth with Splunk tech support, we figured out that we needed to set sslVersions = tls1.2 in inputs.conf on the indexer, and nothing in the forwarder, not in outputs.conf, not in server.conf, nowhere at all on the forwarder, and also take it out of server.conf on the indexer.


pickerin
Path Finder

Just an FYI, as of PCI DSS 3.1, if your Splunk installation is in scope (and it probably is if you're forwarding logs from in-scope systems), you're required to use TLS 1.2 only.

https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2

0 Karma

julietjake
Explorer

http://docs.splunk.com/Documentation/Splunk/6.1.5/Admin/Inputsconf

I suspect your question may have been pre-dated 6.1.5, but you can select tls1.2 as the sslVersion in the inputconf.

sslVersions =
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "" selects all supported versions. The version "tls"
selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "
,-ssl2". (anything newer than SSLv2)

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...